It may sound stupid, but you could see each member computer as a very small 
domain with its own local users. As domains that trust each other have trusts 
in between, the same applies for the member computer, in the form of a computer 
account in the domain (with the domain SID and a unique RID in the domain) and 
a secure channel between the actual computer and its computer account.
 
The SID of the actual computer has no relation with the SID of the domain, as 
the SIDs of two domains that trust each other also have no relationship.
 
Does this help?
 
Cheers,
#JORGE#

________________________________

From: [EMAIL PROTECTED] on behalf of Hanumara, Rao
Sent: Fri 7/22/2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to identify SIDs in AD?



Thanks for your response.  I have looked at user SIDs and they are no 
different than computer SIDs except for the last four digits. What I am 
trying to understand is the relationship between computer and AD? 
Rao/..   

-----Original Message----- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan 
Sent: Thursday, July 21, 2005 4:16 PM 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] How to identify SIDs in AD? 

joe will undoubtedly reply, but here are a couple of things to consider. 
You've looked at the AD SID for a computer object.  Did you look at one 
for a user or a group?  What you SHOULD find is that the SID is going to 
share some specific similarities.  For instance: 

S-1-5-21-3779066958-2660189832-1200827 will be the same SID prefix for 
all security principal objects in your domain.  Each domain will have 
its own unique SID.  RIDs are appended to uniquely identify an object in 
the domain. 

So, your computer had a Relative Identifier (RID) of 3391 (Remember the 
FSMO role of RID Master?) 

The Administrator BY DEFAULT will be: 

S-1-5-21-3779066958-2660189832-1200827-500 

Guest WILL BE: 

S-1-5-21-3779066958-2660189832-1200827-501 

The Domain Admins group WILL BE: 

S-1-5-21-3779066958-2660189832-1200827-512 

After the default groups ( the Builtin groups have SIDs that are 
pre-programmed for Special Purposes), users, etc. are all created, the 
RID Master will start handing out RIDs from 1000 on. 

So, knowing that each and every workstation joined to a domain must have 
a unique object SID - what would the next assumption then be if I have 7 
workstations that have the same workstation SID (each of them an 
independently operating NT system with security principals of their own) 
trying to join a functional AD system? 

You're not at square one - you have all of the information in front of 
you - you just need to put the pieces together.  ;-) 

Take a swing....  I'll drop more bread crumbs if needed. 

Rick 
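Added example (mine, not Rick's or joe's code): a small Python script that takes apart the SIDs quoted above the way the message describes, splitting the domain SID prefix from the RID, naming the well-known RIDs Rick lists (500, 501, 512), marking anything from 1000 up as RID Master allocated, and checking that a set of principals all carry the same domain prefix. The domain SID and RIDs are the ones from the thread; the 7-part machine SID is the one Rao quotes from psgetsid; the function names and the "pool starts at 1000" constant are my own labels for what the message states.

```python
# Added example, not from the thread: anatomy of the SIDs Rick quotes.
# Domain SID and RIDs below are copied from the message; helper names are mine.

# The default RIDs Rick lists for every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}
# After the defaults exist, the RID Master hands out RIDs from 1000 on.
FIRST_POOL_RID = 1000


def split_sid(sid):
    """Return (domain_sid, rid) for an 8-part AD objectSid, or
    (machine_sid, None) for the 7-part SID psgetsid reports for a
    workstation, which carries no RID at all."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8):
        raise ValueError(f"not a domain/machine SID: {sid}")
    if any(not p.isdigit() for p in parts[1:]):
        raise ValueError(f"non-numeric sub-authority in: {sid}")
    prefix = "-".join(parts[:7])
    rid = int(parts[7]) if len(parts) == 8 else None
    return prefix, rid


def describe_rid(rid):
    """Name a RID the way the message does."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= FIRST_POOL_RID:
        return "allocated by the RID Master (>= 1000)"
    return "default/built-in object (< 1000)"


def same_domain(sids):
    """True when every SID shares one domain prefix (Rick's point that all
    security principals in a domain carry the same prefix)."""
    return len({split_sid(s)[0] for s in sids}) == 1


if __name__ == "__main__":
    domain = "S-1-5-21-3779066958-2660189832-1200827"
    principals = [f"{domain}-{rid}" for rid in (500, 501, 512, 3391)]
    for sid in principals:
        prefix, rid = split_sid(sid)
        print(f"{sid}\n  domain={prefix}\n  rid={rid} -> {describe_rid(rid)}")
    print("all from one domain:", same_domain(principals))
    # Rao's workstation SID has no RID and an unrelated prefix.
    ws = "S-1-5-21-2214242676-972441917-2900879380"
    print("workstation:", split_sid(ws))
    print("same domain as AD objects:", same_domain(principals + [ws]))
```

Running it shows the computer object's RID 3391 falling in the RID Master range while the workstation's own SID has no RID and a different prefix, which is exactly why AD can accept cloned machines whose local SIDs collide.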



-----Original Message----- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Hanumara, Rao 
Sent: Thursday, July 21, 2005 2:38 PM 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] How to identify SIDs in AD? 

Joe, 
  Undoubtedly your program is of great value for folks like me. 
Actually, I tried the program a few days ago, but could not set correct 
parameters.  This shed more light on what I wanted to know. AD assigns a 
unique SID when a workstation or user joins the domain. This has no impact 
on what the workstation SID is. I used your program and captured Computer 
and User objects. Then I used psGetSID from psTools on a workstation. 
What I found was that the last segment was randomly assigned by AD. 
Workstation SID has only 7 segments and AD SID attribute has 8 segments. 
AD -        Sid:S-1-5-21-3779066958-2660189832-1200827-3391 
Workstation SID:S-1-5-21-2214242676-972441917-2900879380 
  
This revelation puts me back to my Square 1 question.  What makes the 
difference if several workstations have same SID generated by Ghost 
(Symantec) image in authenticating during login process? 
While framing my original question, I thought that AD will store 
Workstation SID somewhere in database and use that information to 
authenticate. 
Thanks, 
Rao/.. 

-----Original Message----- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe 
Sent: Thursday, July 21, 2005 10:49 AM 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] How to identify SIDs in AD? 

SIDS of Active Directory objects are stored in the objectSID attribute. 
If you have done some form of migrations or move of users or groups from 
one domain to another, the sIDHistory attribute will also be populated. 

The last sentence you have of something that matches workstation SID 
with the workstations objectSID in AD would have to be a script to do 
that. There is no attribute in AD that maintains the workstation SID, AD 
doesn't care about that SID, it only cares about the objectSID assigned 
to the computer object for the workstation which is different. 

To tackle that problem, you would have to write a script that enumerated 
all of the AD Computer objects and their objectSIDs, then have the 
script reach out to each of those computers individually and query for 
its SID (just ask for the administrator SID on each of the machines and 
chop off the RID at the end) and then produce your mapping. 

To easily display SIDs from AD, you could use my adfind utility, to dump 
all computer objects in a forest and their SIDs you would do something 
like 

adfind -gc -b "" -f objectcategory=computer objectSID 

If you pipe that output to a file, you could then use the adcsv (in the 
adfind zip file) script to take that output and put it into a CSV format 
for easier consumption by something else. 

    joe 
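Added example (mine, not joe's script, adfind or adcsv): a Python version of the mapping report joe outlines, in three steps. It parses a computer dump in the dn:/>attr: line layout I assume adfind emits (the sample below is constructed), takes the local Administrator SID each machine would report and chops the RID off to get the machine SID, then writes the objectSid-to-machine-SID mapping as CSV and flags computers that share one machine SID, which is the Ghost-image case Rao is chasing. The remote per-machine query is replaced by an embedded dictionary so the script runs offline; computer names, the example.local domain and the SIDs other than the domain SID from the thread are constructed.

```python
# Added example, not from the thread: the objectSid -> machine SID report
# joe describes. Sample data is constructed; the dump layout is assumed.
import csv
import io
import re
from collections import defaultdict

# Constructed: what "adfind -gc -b "" -f objectcategory=computer objectSID"
# might look like once saved to a file (layout assumed, not real output).
ADFIND_DUMP = """\
dn:CN=WS01,CN=Computers,DC=example,DC=local
>objectSid: S-1-5-21-3779066958-2660189832-1200827-3391

dn:CN=WS02,CN=Computers,DC=example,DC=local
>objectSid: S-1-5-21-3779066958-2660189832-1200827-3392

dn:CN=WS03,CN=Computers,DC=example,DC=local
>objectSid: S-1-5-21-3779066958-2660189832-1200827-3393

dn:CN=WS04,CN=Computers,DC=example,DC=local
>objectSid: S-1-5-21-3779066958-2660189832-1200827-3394
"""

# Constructed stand-in for the "reach out to each computer" step: the local
# Administrator SID each box reports. WS01 and WS02 came from one image,
# WS04 could not be reached.
LOCAL_ADMIN_SIDS = {
    "WS01": "S-1-5-21-2214242676-972441917-2900879380-500",
    "WS02": "S-1-5-21-2214242676-972441917-2900879380-500",
    "WS03": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "WS04": None,
}

DN_RE = re.compile(r"^dn:\s*CN=([^,]+)", re.IGNORECASE)
SID_RE = re.compile(r"^>?objectSid:\s*(S-1-5-21-\d+-\d+-\d+-\d+)\s*$", re.IGNORECASE)


def parse_adfind_dump(text):
    """Map computer name (the CN of each dn) -> objectSid."""
    result, current = {}, None
    for line in text.splitlines():
        m = DN_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = SID_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def machine_sid_from_admin(admin_sid):
    """Chop the RID off the local Administrator SID; that account is always
    RID 500, so the remainder is the machine SID."""
    if admin_sid is None:
        return None
    prefix, rid = admin_sid.rsplit("-", 1)
    if rid != "500":
        raise ValueError(f"expected built-in Administrator (RID 500): {admin_sid}")
    return prefix


def build_mapping(ad_sids, local_admin_sids):
    """One row per AD computer object: objectSid beside the machine SID."""
    return [
        {
            "computer": name,
            "objectSid": ad_sids[name],
            "machineSid": machine_sid_from_admin(local_admin_sids.get(name)),
        }
        for name in sorted(ad_sids)
    ]


def duplicate_machine_sids(rows):
    """Group computers that share one machine SID (cloned images)."""
    groups = defaultdict(list)
    for r in rows:
        if r["machineSid"]:
            groups[r["machineSid"]].append(r["computer"])
    return {sid: names for sid, names in groups.items() if len(names) > 1}


def to_csv(rows):
    """CSV form of the report, in the spirit of adcsv."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["computer", "objectSid", "machineSid"])
    w.writeheader()
    for r in rows:
        w.writerow({**r, "machineSid": r["machineSid"] or "UNREACHABLE"})
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_mapping(parse_adfind_dump(ADFIND_DUMP), LOCAL_ADMIN_SIDS)
    print(to_csv(rows))
    for sid, names in duplicate_machine_sids(rows).items():
        print(f"duplicate machine SID {sid}: {', '.join(names)}")
```

In the real report the embedded dictionary would be filled by querying each computer from the dump, and the duplicate list is the part worth acting on: every objectSid is unique because the RID Master issued it, so duplicates only ever show up on the machine SID side.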




-----Original Message----- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Hanumara, Rao 
Sent: Thursday, July 21, 2005 9:58 AM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] How to identify SIDs in AD? 

Hello, 
   I am new to the list and also new to AD.  We are running few problems 
with Ghost Images deployment.  Is there any utility that can show SID on 
the Domain Controller.  We have AD and DNS implemented on our DC.  MS 
Administrative tools just shows me members of AD, DNS Forward and 
Reverse lists.  What I want to see is SIDs of AD Computers/Users.  Where 
they are stored and how to see them?  I really want a report that 
matches Workstation SID with AD SID in computers. 
Thanks in Advance, 
Rao/.. 



List info   : http://www.activedir.org/List.aspx 
List FAQ    : http://www.activedir.org/ListFAQ.aspx 
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/ 